Each bucket and object in Amazon S3 has an ACL that defines its access control
policy, which is a list of grants. A grant consists of one grantee and one permission.
ACLs only grant permissions; they do not deny them.